Bugtraq mailing list archives

Re: Request for discussion.


From: newsham () aloha net (Timothy Newsham)
Date: Mon, 6 Feb 1995 15:03:13 -1000 (HST)


== - collect suid programs into common directory, or perhaps
==   a separate directory for uid/gid. (both in src and bin form).
== rationale:  Increase awareness of security critical programs.
==   Make it easier to check all suid programs at once.
difficult for administration, particularly when patching or updating a package
akin to smail.  suggestion:  run find with a -exec sum option.  collect and
store in a truly safe place (e.g. a floppy disk).  set up cron to run a
comparison job (e.g. run find for suid/sgid, perform sum, mount floppy, then
compare).  perhaps link suid/sgid binaries to a common, *hidden* directory
for easy reference?  use soft links to avoid easy detection.

You are addressing my post as if these were things I'd like done
to a single machine.  Rather this is my wishlist for "the way
I'd like to see things done".  When I say separate suids I mean
I'd like the default suid binaries to all be in one directory,
and their sources in another.  I think "real" systems will always
have a /usr/local that doesn't quite follow the same layout as
their base system.

== - database of privileged programs and dependencies.  I.e. config
==   files, temp files, directories, databases, etc.
== rationale:  Keep track of assumptions in security critical programs.
==   Avoid holes that arise out of changing an assumption (example
==   making utmp world readable).  Make it easier for automated
==   checks (i.e. world writeable directories like preserve and
==   msgs).
i like this.  in fact, i stress such things when i perform security audits.
caveat:  do *NOT* store this database on-line.  perhaps set up a secure,
stand-alone machine (be cheesy:  ifconfig down) for storage of security
info.

I think making this public knowledge will give the best results in
the end.  If this was a setup for a single system or group of
systems then hiding any security auditing you've done might
be a good idea.

== - system list of users allowed to use suid and sgid.  Suid
==   binaries not run if file owner not allowed to use suid/sgid.
== rationale:  reduce the ability to store privilege on a filesystem.
users would not be able to send mail.  users would not be able to rlogin/remsh.
this is too sweeping a gesture, although the intent is good.  suggestion:
write wrapper binaries around the suid/sgid commands.  log activity.  makes
a nice complement to some of the daemon wrappers.

Ugh.  I didn't state this clearly.  Please read my response posted to
usenet.

very good thoughts.  enjoy good horror stories?  read the Morris and Bellovin
papers.  the idea above needs no more support than that.

read them quite a while ago.

o robert owen thomas: Unix consultant. MAILER-DAEMON. user scratching post. o
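
The checksum job Thomas sketches above (find the suid/sgid binaries, sum them, keep the sums off-line, compare from cron), written out as an added example that is not part of the original thread. It assumes POSIX sh with find, awk and GNU sha256sum (substituted for the 1995 sum(1) checksum, which is far too weak to detect a deliberate substitution), and paths without whitespace.

```shell
#!/bin/sh
# Added example (not from the thread): baseline-and-compare job for
# setuid/setgid binaries.  Assumptions: POSIX sh, find(1) with -perm,
# GNU coreutils sha256sum (in place of sum(1)), awk; no whitespace in paths.

# Emit "hash  path" for every suid/sgid regular file under $1, sorted by
# path so the baseline is stable across runs.  In practice redirect this to
# write-protected or removable media rather than leaving it on the host.
suid_baseline() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec sha256sum {} + 2>/dev/null | sort -k2
}

# Compare the live state of $1 against baseline file $2.  Prints one
# ADDED/REMOVED/CHANGED line per discrepancy; exit status is 0 only when the
# inventory and every hash match, so cron mails output only on a change.
suid_compare() {
    root=$1; baseline=$2
    current=$(mktemp) || return 2
    suid_baseline "$root" > "$current"
    if awk -v base="$baseline" '
        FILENAME == base { old[$2] = $1; next }   # baseline: hash by path
        { new[$2] = $1 }                           # current:  hash by path
        END {
            rc = 0
            for (p in old) if (!(p in new)) { print "REMOVED " p; rc = 1 }
            for (p in new) {
                if (!(p in old))           { print "ADDED " p;   rc = 1 }
                else if (new[p] != old[p]) { print "CHANGED " p; rc = 1 }
            }
            exit rc
        }' "$baseline" "$current"
    then rc=0; else rc=$?; fi
    rm -f "$current"
    return $rc
}

# Typical use (hypothetical mount point):
#   suid_baseline / > /mnt/floppy/suid.sha256    # once, then write-protect
#   suid_compare  / /mnt/floppy/suid.sha256      # from cron, mail the output
```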